@pmatilai commented on this pull request.


> +unique tags (just like the Header). Details about these tags and the 
> information
+they store can be found [here](signatures_digests.md).
+
+RPM v4 packages are expected to contain at least one of SHA1HEADER or 
SHA256HEADER
+tags, providing a cryptographic digest of the main header, and may contain one
+or both of the PAYLOADDIGEST and PAYLOADDIGESTALT tags, providing a 
cryptographic
+digest of the package payload in the compressed and uncompressed forms, 
respectively.
+
+If the package has been cryptographically signed using OpenPGP, an RSAHEADER or
+DSAHEADER tag ought to be present, which contains an OpenPGP signature of the
+package header. Which tag is present depends on which of the two (supported)
+OpenPGP algorithms was used at signing time. Using a key based upon the RSA
+algorithm to sign the package will result in the signature being stored in the
+RSAHEADER tag, whereas the use of the EdDSA (ed25519) algorithm will use the
+DSAHEADER tag instead.  The name of the DSAHEADER tag is a historical artifact,
+it originally referred to the long-obsolete DSA algorithm but was later reused
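
Review bot: In the RSAHEADER/DSAHEADER paragraph, "depends on which of the two (supported) OpenPGP algorithms was used" does not match the rest of the paragraph. It says EdDSA signatures use DSAHEADER and that the tag originally referred to DSA, so one tag covers more than one algorithm and the tag name alone does not identify the algorithm. Suggest describing the mapping per tag (RSAHEADER for RSA signatures, DSAHEADER for DSA and EdDSA signatures) and dropping the count of "two". In the same paragraph, "ought to be present" is ambiguous for a format description; state whether a signed package always carries one of these tags.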

It's not a historical artifact in the context of package format; there exist
mountains of DSA-signed rpm v4 content. That the algorithm is now obsolete is
of little consequence when we're describing a format with a timespan of > 15
years. But yes, EdDSA and DSA share the same tag.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/2835#pullrequestreview-1810658045